Abstract

In this article we give the details of an effective point counting algorithm 
for genus two curves over finite fields of characteristic three. The algo- 
rithm has an application in the context of curve based cryptography. One 
distinguished property of the algorithm is that its complexity depends 
quasi-quadratically on the degree of the finite base field. Our algorithm is 
a modified version of an earlier method that was developed in joint work 
with Lubicz. We explain how one can alter the original algorithm, on the 
basis of new theory, such that it can be used to efficiently count points on 
genus two curves over large finite fields. Examples of cryptographic size 
have been computed using an experimental Magma implementation of the 
algorithm which has been programmed by the author. Our computational 
results show that the quasi-quadratic algorithm of Lubicz and the author, 
with some improvements, is practical and relevant for cryptography. 

1 Introduction 

In this article we give the details of an effective point counting algorithm for 
genus two curves over finite fields of characteristic three, the complexity of which 
depends quadratically on the degree of the finite base field. Our algorithm is 
a modified version of an earlier method that was developed in joint work with 
Lubicz [4]. The main purpose of this paper is to show that the original algorithm
of Lubicz and the author, with some improvements based on new theory, is
practical for genus 2 curves over finite fields of cryptographic size. We conclude
that our point counting algorithm is relevant for curve based cryptography. The 
importance of genus 2 cryptosystems comes from the fact that the size of the 
base field can be chosen significantly smaller, namely half the size, than in the 
case of elliptic curve systems at the same security level. This makes genus 
2 curves attractive for applications on crypto-devices with limitations on the
computing resources. On the other hand, the quasi-quadratic dependency on 
the size of the base field makes it possible to compute curves over huge finite 
fields which are suitable for cryptography on the highest level of security. 

Our point counting algorithm can be used for the generation of the key data 
that is necessary for public key cryptography on the basis of low genus curves 
over finite fields. Usually, the key data of an algebraic curve cryptosystem 
consists of the following objects 

(I) a non-singular projective curve $C$ over a finite field $\mathbb{F}_q$ with $q$ elements,

(II) a computational model of the Jacobian group variety $J_C$ of the curve $C$,

(III) points $P, Q \in J_C(\mathbb{F}_q)$ such that there exists an $m \in \mathbb{N}$ with $[m](P) = Q$.

Given the above data one can for example encrypt or sign data using the generic 
ElGamal method. For a detailed discussion of curve based cryptography we refer 
to [5]. The problem of finding the number $m$ from the given tuple

$(\mathbb{F}_q, C, J_C, P, Q)$ (1)

is called the discrete logarithm problem. A curve $C$ over a finite field as
above is considered as secure if the cardinality $q$ of the finite field $\mathbb{F}_q$ is such
that the discrete logarithm problem in the group of $\mathbb{F}_q$-rational points $J_C(\mathbb{F}_q)$
is computationally infeasible. Provided that $q$ has been chosen suitably large,
giving the required security level, one has to make sure that the number of
$\mathbb{F}_q$-rational points $\#J_C(\mathbb{F}_q)$ of the Jacobian has a large prime factor of bit size
almost equal to $g \cdot \log_2(q)$, where $g$ denotes the genus of the curve $C$. Under these
assumptions, the generic methods for solving the discrete logarithm problem are
not applicable. The choice of a sufficiently large finite field $\mathbb{F}_q$ is a matter of
finding a trade-off between the desired security level and the efficiency of en-
and decryption functionality. To check whether a given key data (1) is secure
in the above sense one has to compute and factorize the group order $\#J_C(\mathbb{F}_q)$.
In this article we discuss the following problem in a special case.

Problem 1.1 For a given finite field $\mathbb{F}_q$ and a given curve $C$ over $\mathbb{F}_q$, compute
the number $\#J_C(\mathbb{F}_q)$.

Lubicz et al. have proven in [4] and [10] that there exists a quasi-quadratic
algorithm which solves Problem 1.1 in the case where the curve $C$ is ordinary
and hyperelliptic. Since their method depends polynomially on the
characteristic of the finite field, in practice it is limited to small characteristics. In this
article we describe some improvements of the original algorithm, based on new 
theory, and an implementation of the improved algorithm for ordinary genus 2 
curves over finite fields of characteristic 3. This implementation has enabled us 
to compute examples of cryptographic size in a reasonable amount of time. Our 
computational results show that the method of Lubicz and the author, with 
some modification, is practical and relevant for cryptography. 

Let us now recall the precise result (compare ^ Th.3.1]) in the special case 
that is discussed in this article. 
Theorem 1.2 One can give an effective algorithm which computes for an
explicitly given non-singular ordinary genus 2 curve $C$, which is defined over a
finite field $\mathbb{F}_q$ of characteristic 3, the number $\#J_C(\mathbb{F}_q)$ in time $O(\log(q)^{2+\epsilon})$ for
all $\epsilon > 0$.

We give the algorithm of Theorem 1.2 in Section 3. Due to a limited amount
of space, we don't give a complete proof of the correctness of our algorithm
here.

Let us remind the reader that a distinguished property of our algorithm is 
given by the fact that it is quasi-quadratic in the degree of the finite field. Other 
algorithms by Kedlaya [7], Lauder and Wan [9] are just quasi-cubic, which makes
a difference in practice if the size of the finite field is very large. The algorithm 
of this article performs well for genus two curves over finite fields of size far 
beyond the standards of state-of-the-art hyperelliptic curve cryptography. 

Outline

In Section 2 we give the details of the algorithm whose existence is claimed in
Theorem 1.2. We give examples that have been computed using our algorithm
in Section 3.

2 Algorithm 

In this section we give the algorithm which is subject to Theorem 1.2. By
$\mathbb{F}_q$ we denote a finite field with $q$ elements which is of characteristic 3. All
computations in $\mathbb{F}_q$ are supposed to be performed with polynomials in $\mathbb{F}_3[x]$
modulo a fixed irreducible monic polynomial $\bar{f}$ over $\mathbb{F}_3$ with $\deg(\bar{f}) = \log_3(q)$
using a fast polynomial arithmetic. With $\mathbb{Z}_q$ we denote the ring $\mathbb{Z}_3[x]$ modulo the
ideal which is generated by a monic polynomial $f \in \mathbb{Z}[x]$ such that $\bar{f} = f \bmod 3$
and $\deg(f) = \log_3(q)$. The ring $\mathbb{Z}_q$ is called the ring of Witt vectors with values
in $\mathbb{F}_q$. We say that we are given an element $x \in \mathbb{Z}_q$ with precision $m$ if we have
computed a bit string which represents the truncated 3-adic number $x$ modulo
$3^m$. Let $\sigma \in \mathrm{End}_{\mathbb{Z}_3}(\mathbb{Z}_q)$ denote the unique lift of the 3-rd power Frobenius of
$\mathbb{F}_q$.

The input of the point counting algorithm consists, first, of a finite field $\mathbb{F}_q$
in the above presentation and, secondly, of an ordinary curve $C$ which is given
by an equation of the form

$y^2 = x(x - 1)(x - e_1)(x - e_2)(x - e_3)$ (2)

where $e_1, e_2, e_3 \in \mathbb{F}_q \setminus \{0, 1\}$ are pairwise distinct. We note that with only slight
modification our algorithm can also be applied to hyperelliptic genus 2 curves
of a more general form. The algorithm outputs the characteristic polynomial $\chi$
of the Frobenius endomorphism of the Jacobian variety $J_C$ of $C$ which is given
by the $q$-th powering map. From this one can obtain the number of $\mathbb{F}_q$-rational
points $\#J_C(\mathbb{F}_q)$ of $J_C$ by evaluating the polynomial $\chi$ at the value 1. In the
following sections we describe all steps of the point counting algorithm in detail.
(I) Compute a 6-theta null point $T_6$ of the curve $C$.

(II) Canonically lift the 6-theta null point $T_6$ to a canonical theta null point
$\tilde{T}_6$ with sufficiently high precision.

(III) Compute the norm $\mathrm{Norm}(\delta)$ of the determinant $\delta$ of a lift of the relative
Verschiebung in terms of the coefficients of $\tilde{T}_6$.

(IV) Reconstruct the characteristic polynomial $\chi$ from the approximated value
for $\mathrm{Norm}(\delta)$.
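
For very small fields the output described above (the characteristic polynomial of Frobenius, the group order obtained by evaluating it at 1, and the ordinarity precondition) can be cross-checked by exhaustive counting. The following Python code is an added example, not the author's Magma implementation and not the quasi-quadratic algorithm: it counts points over $\mathbb{F}_9$ and $\mathbb{F}_{81}$ for every curve of the form (2) with $e_1, e_2, e_3 \in \mathbb{F}_9$ and derives the Frobenius polynomial from the two counts. The modulus $t^4 + t + 2$, the field sizes and all function names are assumptions made for this example.

```python
from collections import Counter
from itertools import combinations, product

# Assumption of this example: F_81 = F_3[t]/(t^4 + t + 2); F_9 is its subfield.
P, DEG = 3, 4
ZERO, ONE = (0, 0, 0, 0), (1, 0, 0, 0)   # coefficient tuples, lowest degree first


def sub(a, b):
    return tuple((x - y) % P for x, y in zip(a, b))


def mul(a, b):
    prod = [0] * (2 * DEG - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % P
    for d in range(2 * DEG - 2, DEG - 1, -1):   # reduce with t^4 = 2t + 1
        c, prod[d] = prod[d], 0
        prod[d - 3] = (prod[d - 3] + 2 * c) % P
        prod[d - 4] = (prod[d - 4] + c) % P
    return tuple(prod[:DEG])


def power(a, e):
    result = ONE
    while e:
        if e & 1:
            result = mul(result, a)
        a, e = mul(a, a), e >> 1
    return result


F81 = list(product(range(P), repeat=DEG))
F9 = [a for a in F81 if power(a, 9) == a]   # fixed field of x -> x^9


def count_points(field, e):
    """Number of points of y^2 = x(x-1)(x-e1)(x-e2)(x-e3) over `field`."""
    roots_of = Counter(mul(y, y) for y in field)   # v -> #{y : y^2 = v}
    total = 1                                      # the point at infinity
    for x in field:
        v = mul(x, sub(x, ONE))
        for ei in e:
            v = mul(v, sub(x, ei))
        total += roots_of[v]
    return total


def largest_prime_factor(n):
    best, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            best, n = d, n // d
        d += 1
    return n if n > 1 else best


def frobenius_data(e):
    """chi(T) = T^4 + a1 T^3 + a2 T^2 + q a1 T + q^2 and #J_C(F_9) = chi(1)."""
    q = len(F9)
    n1, n2 = count_points(F9, e), count_points(F81, e)
    a1 = n1 - q - 1
    a2, odd = divmod(n2 - q * q - 1 + a1 * a1, 2)
    if odd:
        raise ArithmeticError("point counts are inconsistent")
    chi = (1, a1, a2, q * a1, q * q)
    order = sum(chi)                               # chi evaluated at T = 1
    return {"n1": n1, "n2": n2, "chi": chi, "order": order,
            "ordinary": a2 % P != 0,               # 3-rank 2 iff 3 does not divide a2
            "largest_prime": largest_prime_factor(order)}


def survey():
    """Frobenius data for every curve (2) with e1, e2, e3 in F_9 minus {0, 1}."""
    pool = [a for a in F9 if a not in (ZERO, ONE)]
    return {e: frobenius_data(e) for e in combinations(pool, 3)}


if __name__ == "__main__":
    for e, data in survey().items():
        if data["ordinary"]:
            print(e, data["chi"], data["order"], data["largest_prime"])
```

The cost of this check grows linearly in $q^2$, so it only serves to validate an implementation of Steps (I) to (IV) on toy inputs before running it at cryptographic sizes.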



2.1 Computation of theta null points 

In this section we explain how to compute the 6-theta null point of a curve given
by an equation of the form (2). First, one computes a 2-theta null point

$T_2 = (b_{00}, b_{01}, b_{10}, b_{11})$ (3)

possibly over an extension field, using the following classical Thomae formulae

$b_{00} = 1$ (4)

$b_{01} = \sqrt{\frac{(e_1 - e_4)(e_2 - e_5)(e_3 - e_4)}{(e_1 - e_5)(e_2 - e_4)(e_3 - e_5)}}$

$b_{10} = \sqrt{\frac{(e_1 - e_2)(e_1 - e_4)}{(e_1 - e_3)(e_1 - e_5)}}$

$b_{11} = \sqrt{\frac{(e_1 - e_2)(e_2 - e_5)(e_3 - e_4)}{(e_1 - e_3)(e_2 - e_4)(e_3 - e_5)}}$

We note that for all possible roots in the formulas (4) one gets a valid 2-theta null
point. In fact, the 2-theta null point computed by means of the formulae (4)
belongs to an abelian variety which is 2-isogenous to the Jacobian of the curve
$C$ defined by the equation (2).

Let us fix some notation. We denote $Z_n = (\mathbb{Z}/n\mathbb{Z})^2$ for a natural number
$n > 1$. Suppose further that we have chosen embeddings $Z_n \hookrightarrow Z_m$, whenever
$n \mid m$.

Now once the 2-theta null point is established, one needs to extend the latter
point to a smooth 6-theta null point which we denote by $T_6 = (a_u)_{u \in Z_6}$. The
point $T_6$ lies in the zero locus of the following equations

1. symmetry relations

$Y_u = Y_{-u}, \quad \forall u \in Z_6$ (5)

2. Riemann relations

$\sum_{t \in Z_2} Y_{v_1+t} Y_{w_1+t} \cdot \sum_{t \in Z_2} Y_{x_1+t} Y_{y_1+t} = \sum_{t \in Z_2} Y_{v_2+t} Y_{w_2+t} \cdot \sum_{t \in Z_2} Y_{x_2+t} Y_{y_2+t}$ (6)

where $(v_i, w_i, x_i, y_i) \in Z_6^4$ for $i = 1, 2$ are equivalent quadruples.

We consider quadruples $(v_i, w_i, x_i, y_i) \in Z_6^4$ ($i = 1, 2$) as equivalent if there exists
a permutation matrix $P \in \mathrm{Mat}_4(\mathbb{Z})$ such that

$(v_1 + w_1, v_1 - w_1, x_1 + y_1, x_1 - y_1)$

The 2-theta null point $T_2$ can be extended to a 6-theta null point $T_6$ using the
above relations (5) and (6). We set

$a_{00} = b_{00}, \quad a_{03} = b_{01}, \quad a_{30} = b_{10}, \quad a_{33} = b_{11}.$

Specializing the equations (5) and (6) at $(a_{00}, a_{03}, a_{30}, a_{33})$ we obtain a zero
dimensional algebraic set in the variables $\{Y_u\}_{u \in Z_6 \setminus Z_2}$ (see [4, Th.2.7]). The
finiteness of this algebraic set enables us to solve for a completed 6-theta null
point $T_6 = (a_u)_{u \in Z_6}$.

Theorem 2.1 There exists a smooth 6-theta null point $T_6 = (a_u)_{u \in Z_6}$ which
forms an extension of the 2-torsion component $(a_{00}, a_{03}, a_{30}, a_{33})$.

The proof of this fact involves sophisticated theory, so we are not able to give
it here. Here, smoothness means that some Jacobian criterion with respect
to the Riemann relations and additional correspondence relations is satisfied at
the point $T_6$. We will make that precise in Section 2.2. We note that the smooth
extension $T_6$ of Theorem 2.1 belongs to an abelian surface which is isogenous
to the Jacobian of the curve $C$.

The following method forms an important improvement of the original
algorithm as presented in [4, §3]. Instead of solving the relations (5) and (6) for a
smooth 6-theta null point $T_6$, we restrict to a smaller system of equations which
makes the problem feasible in practice. Now consider the following subset of
the Riemann equations in the variables $Y_{10}, Y_{13}, Y_{20}, Y_{23}$ which is given by the
four equations

= 000^20 + aooao3^23 + 000030^10 + aoo"33^i3 (7) 

+000003^20 + 100130^20 + 100033^20 + ^03^23 
+a03'^30^10 + fl03'^33^13 + a03«30^23 + 003^33^23 

+•^30^10 + a3o'^33^13 + 130033^10 + «33^13 + '^^10 

_1_V2 _i_ v'^ _1_ _1_ OV^ -1- 

"r^l0^20 "T J^10-'^13 "T -'^10-'^ 23 ^-"^20 + ^20^13 

+^20^23 + 21^3 + ^13^23 + 25^23 

= 2aooa33yi3 -I- 2aooao3a3oYi3 -I- 2000003033^10 

-t-2aoo030033 l23 + 2000033^20 + 2aQ303oYlo 
+2003030^^23 + 2O03O30O33F20 + 2yioi^23 
+^10^20^13^23 + 2^20^13 

= 2oqq03o1io + 2000O03O30Y13 + 2000003033110 
+2aooci3o^2o + 2000030033^23 + 2003033^13

+2003030033^20 + 2003033^23 + 2^10^20 
+yL0^20^13^23 + '^XZ^'IZ 
= 20ooOo3y23 + 2O00O03F20 + 2O00O03O30Y13 

+2000003033^10 + 2O00O30O33F23 + 2O03O30O33F20 
+2030033^13 + 2O30O33Y10 + 2Y10Y13 

+^10^20^13^23 + 2y20^23 

where it is assumed that the finite field elements $a_{00}, a_{03}, a_{30}$ and $a_{33}$ have
already been computed.

Theorem 2.2 The system of equations (7) defines a zero dimensional algebraic
set.

The system (7) is readily solved by a standard Groebner basis algorithm on a
normal desktop computer over finite fields of cryptographic size. For simplicity,
we now assume that the given values $a_{00}, a_{03}, a_{30}, a_{33}$ are defined over the field
$\mathbb{F}_q$.

Theorem 2.3 A smooth 6-theta null point $T_6 = (a_u)_{u \in Z_6}$ is $L$-rational over a
field extension $L$ of $\mathbb{F}_q$ such that $[L : \mathbb{F}_q]$ divides 48.

Let us remark that in most cases the degree of the field extension is small. Our
computations show that for many examples it has degree lower than or equal to
3. As a consequence of Theorem 2.3 one can compute for increasing extension
degree the set $S$ of four tuples $(a_{10}, a_{13}, a_{20}, a_{23})$ that form a solution of the
system (7). The homogeneity of the space of solutions of the Riemann relations
with respect to the action of the automorphism group of the theta group implies
that the solution set $S$ also contains the quadruples

$(a_{14}, a_{11}, a_{22}, a_{25})$
$(a_{32}, a_{31}, a_{02}, a_{01})$
$(a_{12}, a_{15}, a_{24}, a_{21})$

Thus, by forming all possible combinations of solutions in $S$, one obtains a set
of possible candidates for the 6-theta null point $T_6 = (a_u)_{u \in Z_6}$. This completes
our exposition of the initial computations in Step (I) of our algorithm.

Finally, let us give some further details of our implementation. One can
quickly test whether a candidate for $T_6$ is a valid 6-theta null point using the
special theta relation

= 2aooOioOoi03i + 2000O20O31 + 2000O13O02O31 

+2000023031032 + 2ao30ioOoi032 + 2003020031032 
+2003013002032 + 2003O23O32 + 2o3oOioaoi 
+2030020001031 + 2030013001002 + 2030023001032 
+2a33aioaoiao2 + 2a33a2oao2a3i + 2a33ai3aQ2
+2a33a23ao2a32 + aioa25a2i + aioa2oaiia2i 

+010020025^15 + 010013022021 + 010013025024 

2 

+O10O23O14O21 + O10O23O25O12 + O20O11O15 

+O20O13O11O24 + O20O13O22O15 + O20O23O11O12 
2 

+O20O23O14O15 + 0^3022024 + O13O23O14O24 

I I 2 

+013023022012 + O23O14O12 

The smoothness of a candidate for $T_6$ is tested by computing the rank of the
Jacobian matrix with respect to the Riemann relations, taken together with the
correspondence relations (8) and (9) that we introduce at a later point. We
will give a precise formulation of the smoothness criterion in Section 2.2. We
remark that a different method for the computation of the 6-theta null point is
suggested in [5].



2.2 Canonical lifting 

We use the notation of the preceding section. The computation of the canonical
lifted 6-theta null point $\tilde{T}_6$ is realized by applying a Hensel lifting algorithm to
a system of equations that we define in the following.
Consider the system of correspondence relations

where w,u G Z2, and 

Xxi+zXy^+z ■ ^ -'^i;2+3m^u.2+m (9) 

~ ^ ^ Xx2+zXy2-\-z ' ^ ^ X^u^^^u^Wi+U 

zeZ2 u<£Ze 

where $(x_i, y_i, v_i, w_i) \in S$ ($i = 1, 2$) and $S$ is defined as the set of all 4-tuples
$(x, y, v, w) \in Z_6^4$ such that the sets $\{x + y, x - y\}$ and $\{v + 3w, v - 3w\}$ are equal
and contained in $Z_3$.

By general theory (compare ^ and pLi) there exists a canonical lift $\tilde{T}_6 =
(\tilde{a}_u)_{u \in Z_6}$ of the 6-theta null point $T_6 = (a_u)_{u \in Z_6}$ to $\mathbb{Z}_q$.

Theorem 2.4 The points $\tilde{T}_6$ and $\tilde{T}_6^{\sigma} = (\tilde{a}_u^{\sigma})_{u \in Z_6}$ satisfy the correspondence
relations (8) and (9); one evaluates the variables $X_u$ and $Y_u$ with the values
$\tilde{a}_u$ and $\tilde{a}_u^{\sigma}$, respectively.

For the subset of correspondence equations (9) the Theorem 2.4 follows from
[4, Th.2.1]. In the case of the equations (8) a proof of the Theorem 2.4 can be
found in the forthcoming preprint [5].

Next we give a precise definition of the smoothness condition that is subject
to Theorem 2.1. It is convenient to use a short representation of 6-theta null
points $(x_u)_{u \in Z_6}$ of the following shape

$(x_{01}, x_{02}, x_{03}, x_{10}, x_{11}, x_{12}, x_{13}, x_{14}, x_{15},$
$x_{20}, x_{21}, x_{22}, x_{23}, x_{24}, x_{25}, x_{30}, x_{31}, x_{32}, x_{33})$

which is justified by the symmetry equations (5) and the fact that in almost all
cases one can normalize with respect to $x_{00}$. We set

U = {01,02,03,10,11,12,13,14,15,
20, 21, 22, 23, 24, 25, 30, 31, 32, 33}.

By evaluating $Y_{00}$ at 1 and by replacing, if necessary, $Y_u$ by $Y_{-u}$ we can assume
that the Riemann relations (6) are given by a set $\mathcal{R}$ of polynomials in the
variables $Y_u$ where $u \in U$. By the same procedure, and by evaluating $X_{00}$ at 1,
we obtain from the correspondence equations (8) and (9) a set of polynomials
$\mathcal{C}$ in the variables $X_u$ and $Y_u$ where $u \in U$.

Definition 2.5 We call a ¥q-rational simultaneous zero {au)u£U of the polyno- 
mials in the set TZ a smooth point, if there exist polynomials /i , . . . , /ig d TZUC 
such that the matrix of partial derivatives 

has non-zero determinant at the point (a„) x (a^), where the index u ranges 
over U . 

It is straightforward to test computationally whether an $\mathbb{F}_q$-rational solution
$(a_u)_{u \in Z_6}$ of the relations (5) and (6) is smooth in the sense of Definition 2.5.
For example, one can form the Jacobian matrix of all relations in the set $\mathcal{R} \cup \mathcal{C}$
with respect to the variables $\{Y_u\}$ and test whether the rank of the resulting
matrix is equal to 19 at the point x (a^). 

Now assume that we are given a smooth 6-theta null point $T_6 = (a_u)_{u \in U}$.
To find polynomials $f_1, \ldots, f_{19}$ in $\mathcal{R} \cup \mathcal{C}$ as in Definition 2.5, one searches over
all polynomials in $\mathcal{R}$ until one has found 16 relations such that their Jacobian
matrix has rank equal to 16. Then one has to find 3 additional polynomials in
$\mathcal{C}$ such that the vertical join of the Jacobian matrices has rank 19 in total. As
in Definition 2.5 we denote the Jacobian matrix of the resulting polynomials
$f_1, \ldots, f_{19}$ with respect to the variables $\{Y_u\}_{u \in U}$ by $D_Y$. The matrix of partial
derivatives of these polynomials with respect to the variables {Xu\u&u is de- 
noted by Dx- We note that necessarily the determinant of Dx at {ou) x (a^) 
equals zero. 

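We define a function $\Phi : \mathbb{Z}_q^{19} \times \mathbb{Z}_q^{19} \to \mathbb{Z}_q^{19}$ by setting

$\Phi(x, y) = (f_1(x, y), \ldots, f_{19}(x, y))$ (10)

for all $(x, y) = (x_u)_{u \in U} \times (y_u)_{u \in U} \in \mathbb{Z}_q^{19} \times \mathbb{Z}_q^{19}$. Suppose that we want to
compute the canonical lift $\tilde{T}_6 = (\tilde{a}_u)_{u \in U}$ of the 6-theta null point $T_6$ with given
precision $m$. Assume that we are given $\tilde{T}_6$ with precision $\lceil m/2 \rceil$. By Theorem
2.4 we have

$\Phi(\tilde{T}_6, \tilde{T}_6^{\sigma}) \equiv 0 \bmod 3^{\lceil m/2 \rceil}$ (11)

Using Taylor expansion it follows from the congruence (11) that

$0 \equiv \Phi(\tilde{T}_6 + 3^{\lceil m/2 \rceil} \cdot \Delta, \; \tilde{T}_6^{\sigma} + 3^{\lceil m/2 \rceil} \cdot \Delta^{\sigma}) \bmod 3^m$ (12)

where $\Delta \in \mathbb{Z}_q^{19}$, is equivalent to the congruence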

^ ■ Dy{n,ff)-^ ■ $ {T,,ff) (13) 

+A'"' mod3r'"/2l. 

Here we use the fact that the point Tg = (a„)„g[/, which is the reduction 
of Tg = (au)ugj/ modulo 3, is a smooth point, and consequently, the matrix 
DyCTqjTq ) is invertible modulo Hence, by solving the generalized 

Artin-Schreier equation (13) one can compute a $\Delta \in \mathbb{Z}_q^{19}$ with precision $\lceil m/2 \rceil$
which solves the congruence (12).

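In the following we describe an algorithm for the solution of the above special
type of generalized Artin-Schreier equation. Again this is done by a Hensel
lifting process. Suppose that we are given a solution $\Delta \in \mathbb{Z}_q^{19}$ of the congruence

$\Delta^{\sigma} + A \cdot \Delta + v \equiv 0 \bmod 3^{\lceil n/2 \rceil}$

where $\Delta, v \in \mathbb{Z}_q^{19}$ and $A \in \mathrm{Mat}(19, \mathbb{Z}_q)$ is a square matrix which is singular
modulo 3. The above congruence implies that solving the congruence

$(\Delta + 3^{\lceil n/2 \rceil} \cdot \epsilon)^{\sigma} + A \cdot (\Delta + 3^{\lceil n/2 \rceil} \cdot \epsilon) + v \equiv 0 \bmod 3^n$ (14)

where $\epsilon \in \mathbb{Z}_q^{19}$, is equivalent to solving the congruence

$\epsilon^{\sigma} + A \cdot \epsilon + w \equiv 0 \bmod 3^{\lceil n/2 \rceil}$ (15)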

where 

The above calculations can be summarized in a lifting algorithm for 6-theta null
points which is based on the fact that it is computationally straightforward to
solve Artin-Schreier equations modulo 3. Using the above Hensel lifting principle
one can compute the canonical theta null point $\tilde{T}_6$ to given precision in time
depending quasi-linearly on the precision and the value $\log_3(q)$. We will specify
the precision that we use in our point counting algorithm in Section [ 
We omit a detailed description of the method that we use to solve an
Artin-Schreier equation of the form

$\epsilon^{\sigma} + A \cdot \epsilon + w \equiv 0 \bmod 3$ (16)

where $A$ is a singular matrix modulo 3. The solution of the congruence (16)
comes down to solving a linear system modulo 3. Since it is straightforward
to adapt the method described in [10, Algo.5.2] to our situation, we don't give
the details here. This completes our description of the approximation of the
canonically lifted 6-theta null point $\tilde{T}_6$ that is the main objective of Step (II) of
our algorithm.

2.3 Recovery of the characteristic polynomial 

We use the notation of the preceding sections. For the rest of this section
let $\mathbb{F}_q$ denote the field of definition of the 6-theta null point $T_6 = (a_u)_{u \in Z_6}$.
Assume that we are given the canonically lifted 6-theta null point $\tilde{T}_6 = (\tilde{a}_u)_{u \in Z_6}$
with precision $m$. Suppose that we have normalized $\tilde{T}_6$ such that $\tilde{a}_{00} = 1$.
Let $\pi_1, \pi_2$ be the 3-adically invertible eigenvalues of the absolute $q$-Frobenius
endomorphism on the Jacobian variety $J_C$ of the curve $C$ which is given by the
equation (2). We set

$\bar{\pi}_1 = \frac{q}{\pi_1}$ and $\bar{\pi}_2 = \frac{q}{\pi_2}$. (17)

Then the characteristic polynomial of Frobenius is given by the following
polynomial with $\mathbb{Q}$-coefficients

$\chi(T) = (T - \pi_1)(T - \pi_2)(T - \bar{\pi}_1)(T - \bar{\pi}_2)$.

We note that the product $\pi_1\pi_2$ of eigenvalues can be regarded as an element in
$\mathbb{Z}_3$ in an obvious way. We set

2 

<5 = 1 + 2(ao2 + 020 + 022 + 024)'^ • 
The number $\delta$ is called the determinant of relative Verschiebung.
Theorem 2.6 One has

$\mathrm{Norm}_{\mathbb{Z}_q/\mathbb{Z}_3}(\delta) = \pm\pi_1\pi_2$

An equivalent formula has been established in Th.2.8]. A purely algebraic
proof of Theorem 2.6 is given in the forthcoming preprint [5]. Theorem 2.6
implies that we can compute the product of eigenvalues $\pi_1\pi_2$ up to sign with given
precision. This concludes our remarks regarding Step (III) of our algorithm.

In the following we describe how one can compute a list of candidates for
the characteristic polynomial $\chi(T)$, which is part of Step (IV) of our algorithm.
We note that the number of $\mathbb{F}_q$-rational points of the Jacobian variety $J_C$ of $C$
is given by $\chi(1)$. One can eliminate the false candidates for $\chi(T)$ by evaluating
at 1 and performing point multiplications with random points in the group
$J_C(\mathbb{F}_q)$. We remark that there is a well-known algorithm for the addition of
divisor classes in the group $J_C(\mathbb{F}_q)$. This is folklore, so we don't give the details
here. In the following we ignore the field extension that is necessary to compute
a rational smooth 6-theta null point $T_6$. An extension of the base field of the
curve $C$ can be compensated by taking appropriate roots of the eigenvalues $\pi_1$
and $\pi_2$.

Now let us briefly describe how one can compute the characteristic
polynomial $\chi(T)$ from the approximated product of eigenvalues $\pi_1\pi_2$. Assume that we
are given a 3-adic number $\pi$ such that $\pi \equiv \pm\pi_1\pi_2 \bmod 3^m$, where the precision
is chosen such that $m = 2\log_3(q) + 2$. The polynomial

$P_{\mathrm{sym}}(T) = (T - (\pi_1\pi_2 + \bar{\pi}_1\bar{\pi}_2))(T - (\pi_1\bar{\pi}_2 + \bar{\pi}_1\pi_2))$

is called the symmetric polynomial associated to $\chi(T)$. In order to compute the
characteristic polynomial $\chi(T)$, one first computes candidates for the symmetric
polynomial $P_{\mathrm{sym}}(T)$ in terms of $\pi$. By the above discussion one has

$P_{\mathrm{sym}}(T) = T^2 - sT + qt$ (18)

for some integers $s$ and $t$ whose absolute value is smaller than or equal to $9q$. There
exists an $s_0 \in \mathbb{Z}$, whose residue $\bar{s}_0$ modulo 9 lies in the interval $[0, \ldots, 8]$, such
that $s \equiv \pm\pi + s_0 q \bmod 9q$. The algorithm for computing $s$ simply tries all of
the above possibilities for the residue $\bar{s}_0$ of $s_0$. For each possible $\bar{s}_0$ one gets a
corresponding $s$, in terms of which we claim that one can compute the
parameter $t$. Since $|s| < 9q$, one can for every possible integer $s$ compute an exact value

for So by the formula sq — — —. Finally, one chooses t = tt ■ sq mod 9q. 

The above described procedure determines a list of integer pairs $(s, t)$ which
give possible candidates for the polynomial $P_{\mathrm{sym}}(T)$.

Now assume that we are given roots $\alpha$ and $\beta$ of a candidate for the
polynomial $P_{\mathrm{sym}}(T)$ in a suitable number field. Let $\tau_1, \ldots, \tau_4$ denote the roots of the
polynomials $P_1(T) = T^2 - \alpha T + q^2$ and $P_2(T) = T^2 - \beta T + q^2$ in a suitable
extension field of the rational numbers. Then candidates for the values ±7r^ 
and ±7r| can be computed up to sign as products TjT}~, where j,k G {1, . . . , 4}. 
By taking square roots one obtains candidates for the eigenvalues tti and 7r2. 
The latter values determine the characteristic polynomial x{T) by the formulae 
ifTT]). This finishes the exposition of our point counting algorithm. 

3 Practical results 

In this section we give an example of cryptographic size that was computed 
using our algorithm. A complete documentation of the example is available on 
the author's website 0. Let /(T) = T^^o + + 2 G F3[r]. We denote by 
T the congruence class of the polynomial T modulo the modulus /. Consider 
the hyperelliptic genus 2 curve $C$ over the finite field $\mathbb{F}_{3^{120}} = \mathbb{F}_3[T]/(f)$ with
defining equation

$y^2 = x^5 + (\ldots)\,x^4 + (\ldots)\,x^3 + (\ldots)\,x^2 + (\ldots)\,x$

[Each elided coefficient is a polynomial in T of degree less than 120 with
coefficients in $\mathbb{F}_3$; the individual terms are illegible in this copy.]

The number of $\mathbb{F}_q$-rational points on the Jacobian variety $J_C$ of $C$ equals

32292460179985540075152248365 
95391097003917060756603284118 
54046812502670061472170389646 
4902240351775536748901686160 

The group order $\#J_C(\mathbb{F}_q)$ has a large prime factor of size 369 bits. Also, by
computing the minimal polynomials of the Igusa invariants of the curve $C$, one
can verify that $\mathbb{F}_q$ is a minimal field of definition for the curve $C$. Thus, the
curve satisfies the requirements for a cryptographically secure genus 2 curve.
The computation of the group order, using our algorithm, took 1394 seconds
(CPU time) on an Intel Core 2 E7700 with 8Gb memory. Comparing the running
time of our experimental implementation to the built in Magma implementation
of Kedlaya's algorithm for genus 2 curves, one can see that our results are
reasonable.



4 Summary and perspectives 

In this article, we have given the details of an effective quasi-quadratic algorithm 
for point counting on ordinary genus 2 hyperelliptic curves over finite fields of 
characteristic 3, which performs very well in practice. Further improvement 
may be achieved regarding the following open problems of theoretical nature. 

1. Can one modify the general algorithm given in such that its complexity 
depends only polynomially on the logarithm of the characteristic of the 
finite field? Note that the original algorithm depends polynomially on
, where p is the characteristic and g is the genus of the curve. 

2. Can one significantly reduce the number of variables in the canonical lifting 
algorithm which is described in Section 2? Some results that might turn
out to be useful in this context are documented in [11].

3. By introducing coarse invariants, which are supposed to be expressions in 
certain theta constants, can one avoid the field extensions that in some 
cases are necessary to obtain a rational theta null point?

References 

[1] R. Carls. Galois theory of the canonical theta structure. Available at
http://arxiv.org/abs/math/0509092.

[2] R. Carls. Point counting genus 2 example $\mathbb{F}_{3^{120}}$.
http://www.uni-ulm.de/index.php?id=19745.

[3] R. Carls. Canonical coordinates on the canonical lift. J. Ramanujan Math.
Soc., 22(1):1-14, 2007.

[4] R. Carls and D. Lubicz. A p-adic quasi-quadratic point counting algorithm.
Int. Math. Res. Not., 4:698-735, 2009.

[5] R. Carls and S. Meagher. Equations defining isogeny classes of ordinary
abelian varieties. Preprint.

[6] J.C. Faugère, D. Lubicz, and D. Robert. Computing modular
correspondences for abelian varieties. Preprint.

[7] K.S. Kedlaya. Counting points on hyperelliptic curves using
Monsky-Washnitzer cohomology. Journal of the Ramanujan Mathematical Society,
16:323-328, 2001.

[8] N. Koblitz. Algebraic aspects of cryptography, volume 3 of Algorithms and
Computation in Mathematics. Springer, 1998.

[9] Alan G. B. Lauder and Daqing Wan. Counting points on varieties over finite
fields of small characteristic. In Algorithmic number theory: lattices, number
fields, curves and cryptography, volume 44 of Math. Sci. Res. Inst. Publ.,
pages 579-612. Cambridge Univ. Press, 2008.

[10] R. Lercier and D. Lubicz. A quasi-quadratic time algorithm for hyperelliptic
curve point counting. Ramanujan J., 12(3):399-423, 2006.

[11] D. Lubicz and D. Robert. Computing isogenies between abelian varieties.
Preprint available at http://arxiv.org/abs/1001.2016.






